Company hires 'remote worker' who turns out to be North Korean hacker

A tech firm that hired a remote-working engineer for an IT team was shocked to discover that the ‘American’ worker was a North Korean hacker using a VPN.


A tech firm that hired a remote-working engineer for an IT team was shocked to discover that the ‘American’ worker was in fact a North Korean hacker.

Cybersecurity firm KnowBe4 posted a job advert and received a CV from, and later conducted video interviews with, the 'employee' - who also passed background checks and provided references before being hired as a principal software engineer.

The employee was sent a machine to start his remote job in the US - but the machine went to an address shared by other ‘IT mules’ while the ‘employee’ used a VPN to access it from North Korea, KnowBe4 said.

It’s not the first such case of its kind, with the FBI issuing a warning late last year that ‘fake’ IT workers from North Korea were contracting in well-paid roles.

The ‘employee’ had passed through four video screenings, with his profile picture matching the person who appeared in the interviews (the image was a stolen image from Amazon and doctored using AI software).

KnowBe4's chief information security officer Brian Jack says that the hacker had applied "through the standard application process on a common job posting website".

"It looks like the face and likeness were modified from a photo of another individual to better resemble the identity of the person being interviewed," he told Yahoo News.

Incredibly, the worker also passed background checks. His identity was based on a real person with valid ID, which had been stolen, although checkers failed to spot certain discrepancies during the background checks.

The company sent the ‘employee’ a Mac workstation, but as soon as it arrived, it began to perform suspicious actions including loading malicious software (malware).

Jack said: "We detected malware attempting to be loaded and run on his laptop. This kicked off our security incident response process that resulted in a conversation with the individual."

When challenged, the ‘employee’ claimed he was troubleshooting problems with his router – and then said he was unavailable for a call.

Jack said: "When the story the person was giving did not match the commands we saw being run we became highly suspicious and quickly contained the device and terminated their access."

KnowBe4 immediately informed the FBI and shared data with Mandiant, a global cybersecurity firm.

KnowBe4 explained that these fake workers ask to get their workstation sent to an address in the US that is basically an "IT mule laptop farm".

The workers then VPN in from where they really physically are (North Korea or over the border in China) and work a night shift so that they seem to be working in US daytime.
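The laptop-farm pattern described above leaves a signal in endpoint telemetry: several corporate devices, each assigned to a different "employee" with a different claimed home state, all checking in from one public IP, and remote-control sessions arriving at a device from somewhere other than the device's own location. The following is an added example written for this article, not KnowBe4's or Mandiant's code; the check-in records, session records, IP addresses and device names are constructed sample data, and the peer geolocation is assumed to be supplied by whatever enrichment the telemetry pipeline already has.

```python
from collections import defaultdict

# Constructed sample data: endpoint-agent check-ins, one per corporate laptop.
CHECKINS = [
    {"device": "MBP-0417", "employee": "alice", "claimed_state": "TX", "egress_ip": "198.51.100.23", "geo": "US"},
    {"device": "MBP-0512", "employee": "bob",   "claimed_state": "OR", "egress_ip": "198.51.100.23", "geo": "US"},
    {"device": "MBP-0620", "employee": "carol", "claimed_state": "NY", "egress_ip": "198.51.100.23", "geo": "US"},
    {"device": "MBP-0731", "employee": "dave",  "claimed_state": "CA", "egress_ip": "203.0.113.9",   "geo": "US"},
]

# Constructed sample data: inbound remote-control sessions seen on those laptops.
# peer_geo is assumed to come from the pipeline's IP enrichment; a VPN exit can
# mask the true origin, so this is a weaker signal than the shared-egress check.
SESSIONS = [
    {"device": "MBP-0417", "peer_ip": "192.0.2.77",  "peer_geo": "CN", "tool": "remote-desktop"},
    {"device": "MBP-0731", "peer_ip": "203.0.113.9", "peer_geo": "US", "tool": "remote-desktop"},
]

def shared_egress(checkins, threshold=2):
    """Egress IPs used by at least `threshold` devices belonging to different
    employees who claim different home states: the laptop-farm indicator."""
    by_ip = defaultdict(list)
    for c in checkins:
        by_ip[c["egress_ip"]].append(c)
    flagged = {}
    for ip, rows in by_ip.items():
        employees = {r["employee"] for r in rows}
        states = {r["claimed_state"] for r in rows}
        if len(employees) >= threshold and len(states) > 1:
            flagged[ip] = sorted(employees)
    return flagged

def foreign_remote_control(checkins, sessions):
    """Remote-control sessions whose peer is neither the device's own egress
    address nor in the country where the device physically sits."""
    location = {c["device"]: (c["egress_ip"], c["geo"]) for c in checkins}
    hits = []
    for s in sessions:
        egress_ip, geo = location[s["device"]]
        if s["peer_ip"] != egress_ip and s["peer_geo"] != geo:
            hits.append((s["device"], s["peer_geo"], s["tool"]))
    return hits

def triage(checkins, sessions):
    """Combine both checks into human-readable alerts for the SOC queue."""
    alerts = [f"possible laptop farm at {ip}: {', '.join(emps)}"
              for ip, emps in shared_egress(checkins).items()]
    alerts += [f"{device}: {tool} session from {geo}"
               for device, geo, tool in foreign_remote_control(checkins, sessions)]
    return alerts
```

The shared-egress check is the one the article's facts directly support; the session check only helps where the remote operator's origin is not hidden behind a VPN exit in the same country.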

It's thought the hacker's earnings went to fund North Korea's ballistic missile programme. (SOPA Images/LightRocket via Getty Images)

IT workers have used VPNs and other secretive tactics to work at US hi-tech firms for years, according to the FBI.

In a warning issued late last year, the FBI and the U.S. Department of Justice (DOJ) said that IT workers have been secretly sending millions of dollars back to North Korea.

It’s believed that the funds are being used for the country’s ballistic missile programme.

KnowBe4 urges companies to ensure background checks are rigorous, acknowledging that when they investigated, they found that the names and other details the worker used were not consistent.

The company also urges employers not to rely on email references only.

Warning signs of ‘rogue’ employees include people who use VOIP numbers rather than ‘real’ phone numbers; a lack of a ‘digital footprint’; and discrepancies in details such as date of birth.

Jack advises that companies should: "Review their pre-hire screening practices to ensure that they are thoroughly validating the identity of the person. This can mean requiring more strict identity validation for certain roles".